Main menu

Access your Azure VMs through a Web Browser with ThinRDP

Sometimes, especially in enterprise environments, firewalls prevent connecting via RDP to Azure Windows VMs over port 3389. Quite often, the only outgoing ports being open in the network are 80 and 443 for HTTP(S). Additionally, RDP-over-SSL based technologies like Azure RemoteApp require users to install an app on the client, which also imposes a challenge in many cases, e.g. due to corporate policies.

Wouldn’t it be nice to access your Azure VMs via the browser in an RDP-like manner, without the need for special client-side software and networking configuration? Well, that can actually be done by installing ThinRDP on the target VM. This post will show you how to achieve that in a completely automated manner, using PowerShell with an Azure Resource Manager template and a custom script extension.

ThinRDP

Thinfinity Remote Desktop (commonly known as ThinRDP) is offered by Cybele Software, Inc. and is available either as Server or Workstation edition. The Server edition is targeted at multi-user Terminal Server-style environments, while the Workstation edition provides a plain web-based RDP client for remote access to single VMs, leveraging technologies like HTTPS, WebSockets and HTML5.

The Workstation edition is ideal for our purposes, and it can even be used for personal or commercial use at no charge, you can ask for a free license here. In order to get started, it’s also possible to download a free 30-day trial on their website, that’s what I did for this post.

On top of its RDP-over-SSL capability, ThinRDP Workstation provides powerful features like support for RemoteFX, remote audio & printing, Active Directory integration and a nice file transfer capability we will have a look at later in the post.

Getting Started

We will deploy our sample virtual machine by using an Azure Resource Manager (ARM) template via PowerShell, as described here. The template defines all resources to be deployed within a Resource Group using a declarative approach in terms of a JSON document.

If you know how to work with ARM templates and want to get started right away without understanding all the implementation details, you can download the template & PowerShell script from my GitHub repo ThinRdpOnAzure and deploy it into your Azure subscription now using the ‘Deploy to Azure’ button. In this case move on to chapter Connect to the VM through the Browser below in order to access your machine after it has finished provisioning.

The ARM Template

The resource manager template will deploy the following resources in order to showcase ThinRDP web access to the VM (taken from the Resource Group view in the Azure Preview Portal):

Note: the custom script extension is not shown in the resource group view, as it is executed within the VM during provisioning of the template.

Parameters

The template defines the following customizable parameters for the deployment:

adminUsername

Username of RDP account

adminPassword

Password of RDP account

location

Datacenter location for all template resources

newStorageAccountName

DNS prefix for VM storage account

dnsName

DNS prefix for VM

extensionLocation

Blob container URL of the custom script extension

extensionScript

File name of the custom script extension

Storage Account

The template will provision a storage account as follows:

All resources specify their location using the location parameter described above in order to stay within the same datacenter. The storage account type is defined in the variables section of the template, for options see Azure Storage Replication.

Virtual Network

The VM will be deployed into a virtual network (VNet) that is defined like this:

The template defines the IP address ranges for the VNet overall and for a single subnet that will host our VM.

Public IP Address

In order to be able to access our VM over the public internet we need to provision a dedicated public IP address resource:

The public IP will be associated with the dnsName prefix specified in the parameters section above.

Load Balancer

You might now say: why do I need a load balancer (LB) if I want to deploy only a single VM? Well, despite its name, the Azure LB does not only distribute traffic between multiple instances, but also provides NAT capabilities, for details I recommend to read this post.

As ThinRDP Workstation configures its web server for listening on port 8081by default, and we want to leverage regular SSL port 443 for incoming traffic, we need a corresponding NAT mapping. This is done in the inboundNatRules property of the load balancer resource as follows:

If you wanted to also add a NAT rule for regular RDP access via port 3389 you can do so, as shown in the load balancer configuration below:

The load balancer gets attached to the public IP address specified above via the frontendIPConfigurations property.

Network Interface

Same as the resources described so far, network interface cards (NICs) in the ARM world are also configured as dedicated objects in the template:

The NIC resource defines the subnet association to the VNet, as well as the IP address allocation method (dynamic/static) for the address pool of that subnet. The NIC gets associated to the backendAddressPools of the load balancer, so the LB knows where to route traffic to. The NIC also gets linked to the NAT rule(s) of the load balancer (loadBalancerInboundNatRules).

Virtual Machine

Finally, we get to the declaration of our virtual machine, which also contains the custom script extension for the installation of ThinRDP. Let’s first have a look at the core VM configuration (without extension):

This looks like any other VM resource in ARM, specifying parameters like VM name, size, image, RDP user, storage location, etc. Note that the VM gets bound to the NIC we specified above and thus will also be targeted by the NAT rules defined in the load balancer.

Custom Script Extension

The configuration of the custom script extension is part of the Virtual Machine resource above. As you can see in the picture below, it is contained in the resources section of the VM resource:

Basically, there are two properties that define which extension to execute and where to find it:

You need to make sure that the blob container in Azure storage has public read access defined, so the provisioning engine can retrieve the extension script from that location. You could also use a Shared Access Signature to secure that URL, which I left out here for the sake of simplicity.

Let’s have a look at the script extension itself now, it’s fairly simple (I called it SetupThinRdp.ps1):

The script creates a directory c:\temp on the VM, downloads the ThinRDP Workstation trial setup executable from a blob storage URL (that has to be configured for public read access) and then starts an unattended setup. This will install ThinRDP with its default configuration in the VM, i.e. after finishing the ThinRDP web server will start listening on port 8081. The setup also opens the corresponding port in the local Windows firewall of the VM.

Deployment

If you like, you can deploy the template via the ‘Deploy to Azure’ button in my GitHub repo.

Clicking the button will take you to the Azure Preview Portal and open the Parameters section of the template:

Just enter the parameters described in chapter Parameters above, create a new Resource Group, accept the legal terms and off you go.

If you require a more automated approach, you can deploy the template to a new Azure Resource Group using PowerShell as follows (you can find the script in my repo here):

Note that you need to have both the template and the parameters file in the PowerShell execution directory. The file ThinRdpVm.json contains the ARM template itself, while the parameters are defined in ThinRdpVm.param.json. You will probably have to change the values from the repo in order to get unique DNS names for your VM and storage account.

You should also create your own storage account, upload the ThinRDP setup executable as well as the custom script extension file. Don’t forget to make the blob container read accessible, as mentioned before. The URL to your storage account has to be specified in the extensionLocation parameter in ThinRdpVm.param.json as well as in SetupThinRdp.ps1!

Also note that for this post, I was still using Azure PowerShell version 0.9.8. In the PowerShell 1.0 Preview Switch-AzureMode will be deprecated and the ARM cmdlets renamed, as described here.

Connect to the VM through the Browser

After the deployment has finished (indicated either in the notification section of the Preview Portal or in PowerShell by a ProvisioningState of ‘Succeeded’), you can open a web browser (I would suggest Chrome with ThinRDP) and navigate to the URL of the VM. As described above, the DNS name is associated with the Public IP Address resource, you can find it in the Preview Portal:

So enter your address (e.g. https://thinrdp.westeurope.cloudapp.azure.com) into the browser, accept the certificate warning and you will get an authentication popup like this:

By default, ThinRDP adds an additional layer of security. You can logon as user admin, password admin (which is the standard setting). If all goes well, you will now see the landing page of the ThinRDP web server:

In the Config section you can change display settings, enable WebSocket compression, configure printer and audio access, etc. I recommend to switch on Smart Sizing in the Experience tab in the configuration, which will let you change the size of your browser with the RDP web session scaling along.

Connecting to the VM with the ‘Remote desktop’ option selected will present another logon dialog, in which you need to enter the admin credentials specified in the ARM template (adminUsername and adminPassword).

And voilà, we have managed to logon to our VM in the browser:

File Transfer

If you don’t need full RDP-like web access, but only want to transfer files between your local box and the VM in Azure, you can connect using the ‘File transfer’ option on the ThinRDP landing page. This will present you an explorer-style view, showing the local file system of the VM and providing upload/download capabilities:

Conclusion

If you can’t access your Azure VMs via regular RDP due to blocked ports in the network or you don’t want to install additional clients, ThinRDP is a powerful option to access your virtual Windows machines via the browser. The ARM template and deployment model described in this post let you set up ThinRDP with minimal effort.

You might also want to use this approach to set up a dedicated jumpbox per virtual network from where to hop on to other machines (Windows or Linux) in Azure that do not have ThinRDP installed, avoiding common firewall blocking issues.

I already have a VM setup and would like to install Thinfinity. Are there instructions on how to do that?
i.e I don’t want to create a new VM with ARM template as I already have a VM created with public ip.